
Understanding the Language of External Identity Management

Author: Maggie White, Senior Manager of Product Marketing

Date: 02/21/2025

 

Organizations rely on a wide variety of partners, third parties, consultants, contractors, and other contingent labor to perform critical functions and compete in today’s economy. Depending on the industry and the size of the business, organizations might be managing hundreds — if not thousands — of third-party relationships and non-employee identities. Managing this complexity starts with a new organizational mindset and a commitment to process change. To that end, we have created this handy guide for you to share with your business stakeholders to get on the same page with a common language and definition of terms.

Terms About People – Defining Your B2B Populations

Getting to a common language around your external user types can help your business stakeholders develop clear policies around access. At Saviynt, we start with three broad categories of external users:

Third Parties: Organizations we pay for goods and services, and their employees.

Examples: Call Centers, Contractors, Service Providers, Staffing Agencies, Suppliers, Vendors

Partners: Organizations which contribute to our revenue, and their employees.

Examples: Affiliates, Agents, Brokers, Clinics, Distributors, Franchisees, Retailers, Wholesalers

Individuals: People with an individual business connection to our organization.

Examples: Alumni, Freelancers, Guests, Interns, Researchers, Residents, Retirees, Seasonal Workers, Students, Temps, Volunteers

Terms About Relationships – Defining the Nature of How Internal and External Teams Interact Around Access

External Worker: an individual performing a service for the primary organization who is either hired by a contractor or partner, or works on their own behalf as a freelancer.

Organization Administrator/External Stakeholder: a designated point of contact within the external entity responsible for communicating about individuals employed by them to provide a service for the primary organization.

Sponsor/Internal Stakeholder: a designated internal point of contact for a particular third-party vendor, who is responsible for onboarding, managing and offboarding the external entity and its employees.

The following teams also play a role:

Governance, Risk & Compliance (GRC): The GRC team, often led by a Chief Compliance Officer or General Counsel, is responsible for ensuring that the company complies with national, global and industry standards. Auditors do the work of reviewing activity, including IAM processes, from a set time period to attest that standards were met. Generally, reviewing employee access is straightforward, as access originates from an authoritative HRIS source. When it comes to external identities, attesting compliance can be much more difficult due to the distributed nature of internal and external management relationships.

Human Resources (HR): is responsible for managing employee records through an HR Information System (HRIS) like Workday, Oracle or SAP that acts as a system of record for employee identity data and job roles. In some organizations HR is also tasked with onboarding system access for external workers, but this can be challenging since they often lack the visibility into the terms of the engagement and the nature of the work they will perform.

IAM Team: also plays a critical role in an organization's cybersecurity and IT operations. Their primary focus is to manage user identities and control access to resources, ensuring security, compliance, and efficient workflows. 

Procurement/Vendor Management Teams: develop and maintain relationships with suppliers. They perform activities like contract negotiation, performance monitoring, and risk assessment to optimize value and minimize risks associated with vendor relationships. 

Security Team: This team is responsible for protecting the organization against cyber threats, containing active breaches and investigating incidents. Since most breaches have an identity component, the team also works to ensure that users have least-privilege access and that access is removed when the user is no longer with the company.

Terms About Tools and Processes Involved in Managing External Identity Risk

Duplicate Identity Management: Duplicate identities can lead to excessive access, fraud, audit failure and an increased risk of a successful cyber attack. There are a number of scenarios in external user access that can put your organization at risk for duplicate identities, such as:

  • An ex-employee who becomes a contractor and maintains the same level of access in their new role carries the risk of over-provisioned access if the contractor role requires fewer privileges than the internal employee role they once had.
  • An ex-employee is fired for cause but is subsequently hired by one of your contractors and ends up doing work for your company as an external employee. This can leave your organization vulnerable to a wide variety of issues, including legal trouble.
  • Separation of Duty (SoD) violations can also result from poor IAM hygiene when consultants move from one contract to the next.
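
The three scenarios above can be checked at intake by reconciling each new external identity against earlier records for the same person. The following is an added example, not Saviynt's code or part of the original post; the record fields, role names, entitlement strings and the name-plus-birth-date match key are all assumptions made for illustration.

```python
# Constructed sample data; all field names, roles and entitlements are hypothetical.
PRIOR_IDENTITIES = [  # earlier employee or contract records for the same people
    {"name": "Dana  Reyes", "dob": "1988-04-12", "exit": "resigned",
     "active_entitlements": {"crm:admin", "crm:read"}},
    {"name": "Sam Okoro", "dob": "1979-11-30", "exit": "for_cause",
     "active_entitlements": set()},
    {"name": "Ravi Shah", "dob": "1985-07-19", "exit": "contract_ended",
     "active_entitlements": {"erp:approve_payment"}},
]
EXTERNAL_INTAKE = [  # new external identities submitted for onboarding
    {"name": "dana reyes", "dob": "1988-04-12", "role": "helpdesk_contractor",
     "entitlements": {"crm:read"}},
    {"name": "Sam Okoro", "dob": "1979-11-30", "role": "helpdesk_contractor",
     "entitlements": {"crm:read"}},
    {"name": "Ravi Shah", "dob": "1985-07-19", "role": "ap_contractor",
     "entitlements": {"erp:create_vendor"}},
    {"name": "Lee Park", "dob": "1991-02-03", "role": "helpdesk_contractor",
     "entitlements": {"crm:read"}},
]
ROLE_ALLOWED = {"helpdesk_contractor": {"crm:read"},
                "ap_contractor": {"erp:create_vendor"}}
SOD_CONFLICTS = [frozenset({"erp:create_vendor", "erp:approve_payment"})]

def person_key(rec):
    # Assumed match key: attributes that survive a change of employer.
    return (" ".join(rec["name"].lower().split()), rec["dob"])

def review_intake(prior, intake, role_allowed, sod_conflicts):
    """Return (person, finding) pairs for external identities that duplicate a prior one."""
    by_person = {person_key(r): r for r in prior}
    findings = []
    for ext in intake:
        old = by_person.get(person_key(ext))
        if old is None:
            continue  # no earlier identity on record for this person
        who = person_key(ext)[0]
        if old["exit"] == "for_cause":
            findings.append((who, "REHIRED_AFTER_FOR_CAUSE_EXIT"))
        # Access left on the old identity that the new role does not justify.
        if old["active_entitlements"] - role_allowed[ext["role"]]:
            findings.append((who, "RETAINED_PRIOR_ACCESS"))
        # Old and new access combined must not contain a conflicting pair.
        combined = old["active_entitlements"] | ext["entitlements"]
        if any(pair <= combined for pair in sod_conflicts):
            findings.append((who, "SOD_CONFLICT"))
    return findings
```
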

Principle of Least Privilege (PoLP): is a fundamental security concept that dictates that users, applications, systems, or processes should only have the minimum level of access necessary to perform their specific tasks or functions. By restricting access to only what's essential, organizations reduce the risk of unauthorized access, data breaches, or misuse of privileges. Related terms include just-enough access (JEA) and just-in-time access (JIT access) – a security control that assigns least privilege credentials on a limited time basis.

Role-Based Access Control (RBAC): A security mechanism for limiting access to systems and resources based on a user’s “role.” The goal of RBAC is to prevent security breaches and protect critical systems by managing identity roles and access privileges. RBAC can be applied to protect your organization’s critical assets from your riskiest user population – third-party, B2B users.

System of Record (SOR): centralizes identity data, providing a single source of truth that is always up-to-date and accurate. Internal employees have specific processes to onboard and offboard, most of which are handled centrally by HR and managed in an HRIS or HCM system of record. External resources, like brokers, contractors, or contingent workers have varied, often elaborate processes to onboard or intake identity information. Maybe the vendor contract is managed out of one department, but the individual users report to a different internal team. To manage risk in this distributed model, a single SOR for all external identities can help improve visibility and centralize access control. 

Third-Party Risk Management (TPRM): is the process of analyzing and minimizing risks associated with outsourcing to third-party vendors or service providers. TPRM software provides companies with visibility into potential security and compliance exposures that vendors and suppliers could introduce through the use of assessments and surveys. TPRM is not the same as external identity management, which provides fine-grained access controls governing what external users can do with your organization’s IT assets, including data and applications.

Zero Trust: A cybersecurity model based on the principle of “never trust, always verify” and PoLP. Zero Trust combines least privilege with strong authentication policies and granular access controls, supported by a robust, flexible identity platform which provides complete visibility into all users – including employees, non-employees, and machines – and their access. 

Saviynt and External Identity Management

With internal and external identity governance in a single converged identity solution, Saviynt helps organizations establish risk-based access policies to control the entire third-party access lifecycle from first introduction to relationship completion. This approach enables you to get more value from Saviynt’s Identity Cloud including:

  • A single repository for identity & entitlement data supporting all identity populations
  • Better company registration & user invitation processes
  • More comprehensive risk mitigation 
  • Better compliance outcomes sooner

Learn more about the first steps to adopting a modern and comprehensive approach to external identity management.
